Just 2 weeks left in 2009. Time to start collecting all the latest published research in preparation for the coveted Top Ten Web Hacking Techniques list!

Every year the Web security community produces dozens of new hacking techniques documented in white papers, blog posts, magazine articles, mailing list emails, etc. We are not talking about individual vulnerability instances with CVE numbers, nor intrusions / incidents, but the actual new methods of Web attack. Some target the website, some target the browser, or somewhere in between.

Historically many of these works would permanently reside in obscure and overlooked corners of the Web. Now in its fourth year, the list provides a centralized reference point and recognizes researchers who have contributed to the advancement of our industry.

The top ten winners will be selected by a panel of judges (names to be announced soon) on the basis of novelty, potential impact, and overall pervasiveness. Those researchers topping the list can expect to receive praise amongst their peers as have those in past years (2006, 2007, 2008).

Then coming up at IT-Defense (Feb.) and RSA USA 2010 (Mar.) it will be my great honor to introduce each of the top ten during my “2010: A Web Hacking Odyssey” presentations. Each technique will be described in technical detail: how it works, what it can do, who it affects, and how best to defend against it. Audiences get an opportunity to better understand the newest attacks believed most likely to be used against us in the future.

To make all this happen we are going to need a lot of help from the community. At the bottom of this post will be the living master list of everything published. If anything is missing, and we know for a fact there is, please leave a comment containing the link to the research. We understand that not every technique is as powerful as another, but please make every effort to include them anyway; nothing should be considered too insignificant. You never know what method might be found useful by another researcher down the road.

There are contributions by other researchers which are just the same as my own, but I did my own months and even years earlier :-). Like 0kn0ck's one about Yahoo Babelfish (which is mentioned as #60). And also 0kn0ck's new comment about Google Translate.

So I recommend 0kn0ck not touch my holes (which I found a long time before him) and find others (new ones) for himself ;-). I very often see such cases, when other people find my holes months and years after me :-). There was such a case with a hole in images.google.com, and here are cases with Yahoo Babelfish and Google Translate. Anyway I wish everyone Merry Christmas and Happy New Year!

@0kn0ck, added #66. And please have a look at MustLive's work he cited. It does appear to look similar, but if not, would be helpful to know why. Either way, researchers including myself do cross paths with the work of others without knowing it.

There is no point of cross path as such. Primarily it is hard for a researcher to visit every blog or vice versa. It may result in the same thing, but the attack end points and explanation could vary depending on the disclosure made to the requisite vendor and their response.

Research titled "Advanced SQL injection to operating system full control": slides and whitepaper. Research titled "Expanding the control over the operating system from the database": slides. It's by the same author of sqlmap. The best in the field!

About Me

Jeremiah Grossman's career spans nearly 20 years and has lived a literal lifetime in computer security to become one of the industry's biggest names. He has received a number of industry awards, been publicly thanked by Microsoft, Mozilla, Google, Facebook, and many others for his security research. Jeremiah has written hundreds of articles and white papers. As an industry veteran, he has been featured in hundreds of media outlets around the world. Jeremiah has been a guest speaker on six continents at hundreds of events including many top universities. All of this was after Jeremiah served as an information security officer at Yahoo!